From ${URL} :

A flaw was found in the way GNUstep's gdomap (GNUstep Distributed Objects nameserver) handled logging. A remote attacker could send a crafted request to gdomap that would cause gdomap to abort. This issue affects version 1.24.6 and earlier versions.

Upstream bug: https://savannah.gnu.org/bugs/?41751
Upstream patch: http://svn.gna.org/viewcvs/gnustep/libs/base/trunk/Tools/gdomap.c?r1=37756&r2=37755&pathrev=37756
References: http://seclists.org/oss-sec/2014/q2/143

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
gnustep-base/gnustep-base-1.24.6-r1 is now in ~arch, with the backported fix. As gnustep-base/* packages usually need to go stable in formation, I'll check and make a stabilization list to go along with gnustep-base-1.24.6-r1 (1.24.6 was ready for stabling anyway).
gnustep packages work fine enough here with current stable packages and =gnustep-base/gnustep-base-1.24.6-r1, no need to stable other gnustep-* packages for this security bug.

=gnustep-base/gnustep-base-1.24.6-r1 is good for security stabling, target arches: amd64, ppc, sparc, x86
Arches, please test and mark stable: =gnustep-base/gnustep-base-1.24.6-r1 Target Keywords: "amd64 ppc sparc x86" Thank you!
amd64 stable
ppc stable
sparc stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
Vulnerable versions removed from tree
Maintainer(s), thank you for cleanup! Security, please vote!
GLSA VOTE: Yes
CVE-2014-2980 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2980): Tools/gdomap.c in gdomap in GNUstep Base 1.24.6 and earlier, when run in daemon mode, does not properly handle the file descriptor for the logger, which allows remote attackers to cause a denial of service (abort) via an invalid request.
YES too, request filed.
This issue was resolved and addressed in GLSA 201412-20 at http://security.gentoo.org/glsa/glsa-201412-20.xml by GLSA coordinator Sean Amoss (ackle).